Implement basic auth middleware
This commit is contained in:
Brian Picciano
parent
56530a8a66
commit
8da42184eb
72
srv/src/api/auth.go
Normal file
72
srv/src/api/auth.go
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
package api
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/bcrypt"
|
||||||
|
)
|
||||||
|
|
||||||
|
// NewPasswordHash returns the hash of the given plaintext password, for use
|
||||||
|
// with Auther.
|
||||||
|
func NewPasswordHash(plaintext string) string {
|
||||||
|
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 12)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
return string(hashedPassword)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Auther determines who can do what.
|
||||||
|
type Auther interface {
|
||||||
|
Allowed(username, password string) bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type auther struct {
|
||||||
|
users map[string]string
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewAuther initializes and returns an Auther will which allow the given
|
||||||
|
// username and password hash combinations. Password hashes must have been
|
||||||
|
// created using NewPasswordHash.
|
||||||
|
func NewAuther(users map[string]string) Auther {
|
||||||
|
return &auther{users: users}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *auther) Allowed(username, password string) bool {
|
||||||
|
|
||||||
|
hashedPassword, ok := a.users[username]
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
err := bcrypt.CompareHashAndPassword(
|
||||||
|
[]byte(hashedPassword), []byte(password),
|
||||||
|
)
|
||||||
|
|
||||||
|
return err == nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func authMiddleware(auther Auther, h http.Handler) http.Handler {
|
||||||
|
|
||||||
|
respondUnauthorized := func(rw http.ResponseWriter) {
|
||||||
|
rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
|
||||||
|
rw.WriteHeader(http.StatusUnauthorized)
|
||||||
|
}
|
||||||
|
|
||||||
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
username, password, ok := r.BasicAuth()
|
||||||
|
|
||||||
|
if !ok {
|
||||||
|
respondUnauthorized(rw)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if !auther.Allowed(username, password) {
|
||||||
|
respondUnauthorized(rw)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
h.ServeHTTP(rw, r)
|
||||||
|
})
|
||||||
|
}
|
||||||
21
srv/src/api/auth_test.go
Normal file
21
srv/src/api/auth_test.go
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
package api
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestAuther(t *testing.T) {
|
||||||
|
|
||||||
|
password := "foo"
|
||||||
|
hashedPassword := NewPasswordHash(password)
|
||||||
|
|
||||||
|
auther := NewAuther(map[string]string{
|
||||||
|
"FOO": hashedPassword,
|
||||||
|
})
|
||||||
|
|
||||||
|
assert.False(t, auther.Allowed("BAR", password))
|
||||||
|
assert.False(t, auther.Allowed("FOO", "bar"))
|
||||||
|
assert.True(t, auther.Allowed("FOO", password))
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue
Block a user